Search domains in our environment (Proposal)
Mike McGrath
mmcgrath at redhat.com
Thu Dec 20 01:24:09 UTC 2007
seth vidal wrote:
> On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
>
>> The reason for all of this is the firewall in place at the PHX
>> colo. If
>> that wasn't there we wouldn't need any of the games at all. We
>> could
>> just have foo.fedoraproject.org be resolveable from anywhere
>> and
>> foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
>> it'.
>>
>> seth 'big fan of simple networking' vidal
>> -sv
>>
>> +1, but do we still need the firewall for other things?
>>
>
> So the firewall is something that came with the space. It's red hat's
> firewall and I don't think we have any choice for the hosts inside phx.
>
> In general, I'm a much bigger fan of hosts-based firewalling and
> clamping down on exposure paths that way than an edge firewall for a
> network. In this case it would also make our setup a good bit simpler if
> we didn't have the edge firewall at all.
>
Just so my stance on this is also public. In general I also agree that
it is good to remove the PHX firewall from the mix. The biggest being
IP space. (think about the builders and such). There's also a firewall
there that we could re-implement ourselves. While long term I do want
to re-think our interactions with PHX but I can't say for sure exactly
what that will be. If, for example, we got funding to host all
non-buildsystem stuff in our new German colo, many of these problems
might go away.
I'd very much like to research the alternatives but for now I think the
search domain method would suit us well.
-Mike
More information about the Fedora-infrastructure-list
mailing list